CISM renewal requirements: How to maintain your certification
The Certified Information Security Manager (CISM) certification stands out as a management-focused credential that meets the professional expectations and goals of hiring organizations. It verifies that the certificate holder possesses the knowledge to manage, design, supervise, and assess enterprise information security programs. Understanding the CISM renewal requirements is essential for maintaining this valuable credential throughout your career.

CISM certification fundamentals
The CISM certification covers four domains of knowledge:
- Information security governance (17%)
- Information security risk management (20%)
- Information security program (33%)
- Incident management (30%)
To register for the CISM exam, you must visit the ISACA website, complete a registration form and submit payment. The exam itself is computer-based and administered at authorized PSI testing centers worldwide. Registration is continuous, so candidates can register at any time and schedule an exam date as early as 48 hours after paying the registration fee. The fee to register for the CISM certification exam is $575 for ISACA members and $760 for non-members.
CISM renewal requirements
To renew your CISM certification, you must earn and report the required continuing professional education (CPE) hours over a three-year cycle and pay annual maintenance fees of $45 for members and $85 for non-members. The CISM recertification process ensures certificate holders maintain current knowledge and skills in the rapidly changing information security field.
CISMs who cannot work due to hardship, disability, illness or other personal issues can apply for "non-practicing" status. While non-practicing CISMs must still pay annual CISM maintenance fees, they are exempt from completing CPE hours. This status must be requested the same year the certification holder leaves the profession and officially begins at the start of the calendar year. Applications for non-practicing status must be submitted to ISACA along with a CISM invoice and payment.
Certification maintenance requirements
After passing the CISM exam, keeping the credential requires ongoing professional development. The CISM CPE requirements ensure you maintain an adequate level of skill, knowledge, and proficiency. This commitment to continuing professional education offers numerous benefits and helps you remain engaged, prepared, and successful in the information security field.
You must complete specific requirements over your certification cycle to maintain your CISM certification. Failure to meet these expectations may result in the immediate revocation of your certificate:
- Complete and document a minimum of 20 CPE hours annually in relevant CISM domains. These hours can satisfy requirements for multiple ISACA certifications when applicable.
- Submit annual maintenance fees to ISACA international headquarters.
- Complete and document a minimum of 120 CPE hours over the three-year reporting period. This period typically begins January 1st and is indicated on your annual invoice confirming compliance. Certification holders are responsible for reporting any errors directly to ISACA.
- Provide documentation of CPE activities if audited. CISMs may be randomly selected to provide evidence of previously reported activities. The CISM Certification Committee will determine if the audit is approved and may revoke certifications not in compliance.
- Comply with ISACA's Code of Professional Ethics:
  - Support and comply with appropriate governance and management standards for information systems and technology
  - Perform duties objectively with diligence and care
  - Lawfully serve stakeholders' interests and maintain high personal conduct standards
  - Protect information privacy and avoid using it for personal benefit
  - Approach all undertakings with a realistic completion mindset
  - Ensure all important facts and findings are disclosed to employers
  - Support stakeholders' professional education by enhancing their understanding of enterprise information systems governance and management
Qualifying activities for CISM recertification
The CISM recertification process accepts various educational activities demonstrating ongoing security knowledge currency. Regular job duties cannot be used to meet these requirements, but the CISM Certification Committee has approved the following CPE activities:
- Active participation—with attendance verification—in ISACA conferences, seminars, workshops, chapter programs, and related meetings
- Participation in corporate training, university courses, or non-ISACA conferences related to information security
- Completion of self-study courses specifically designed for CPE credits, including online learning, trade shows, webinars, and other educational formats
- Development of presentations on management, design, or assessment of enterprise information security
- Publication of material directly related to information security management in formal publications or websites (copy must be available upon request)
- Development and review of CISM exam items and materials
- Contributing 20 hours annually to information security work for ISACA or other professional entities
- Mentoring activities, including coaching, performance reviews, CISM exam preparation assistance and guidance through the credentialing process
Returning to active status
Before resuming work, CISMs wishing to return to "active status" must apply through the ISACA Certification Department. If the status change occurs within two years of the initial status change, they can submit documentation for the required 20 CPE hours.
For status changes occurring more than two years after the initial change, CISMs must submit an active status application and earn 120 CPE hours over three years. Additionally, they must obtain one year of relevant work experience and submit a verification form signed by a supervisor. All non-practicing CISMs will maintain that status until their new status is approved in writing.

Advance your information security career with CISM
Understanding and following the CISM renewal process ensures you maintain this valuable credential throughout your career. The CISM requirements for ongoing education help you stay current in the information security field while demonstrating your commitment to professional growth.
Looking to explore where your CISM credential might take you? Check out potential CISM career options to understand how maintaining your certification can support your professional advancement.
For more information about CISM certification maintenance or to begin your CISM journey, visit Infosec’s CISM hub.